Security Now 1013: Chrome Web Store is a Mess
Released on February 19, 2025 by TWiT.tv Shows (Audio)
Hosts:
- Leo Laporte
- Steve Gibson
1. Introduction
In this episode of Security Now, host Leo Laporte and guest Steve Gibson delve into a range of pressing security issues. The primary focus centers around the tumultuous state of the Chrome Web Store, alongside discussions on encryption backdoors, ransomware threats, and recent updates from major tech companies like Google and Apple.
2. UK Apple Encryption Backdoor and US Response
[00:00 - 03:52]
Leo introduces the episode by highlighting several key topics, including the controversial request from the UK for Apple to implement a backdoor in its encryption.
Key Points:
- The UK's demand for Apple to create a backdoor into its encryption has sparked significant debate.
- US lawmakers, including Senator Ron Wyden and Representative Andy Biggs, have criticized the UK's request, labeling it as an "effective foreign cyber attack."
Notable Quote:
Steve Gibson [10:52]: "If Apple is forced to build a backdoor in its products, that backdoor will end up in Americans' phones, tablets, and computers, undermining the security of Americans' data as well as of the countless federal, state, and local government agencies that entrust sensitive data to Apple products."
3. Discussion on the Term 'Backdoor'
[10:14 - 25:58]
Steve Gibson expresses his discomfort with the term "backdoor," arguing that it inaccurately describes the UK's request. He suggests that the correct term should reflect an intentional bypass of encryption without implying secrecy.
Key Points:
- The term "backdoor" traditionally implies a secret method of bypassing security, which doesn't align with the UK's transparent legal request.
- Gibson proposes alternative terminology to more accurately describe the requested encryption bypass.
- Apple and Google have historically opposed any form of encryption bypass, emphasizing the importance of maintaining data security.
Notable Quote:
Steve Gibson [21:38]: "They want Apple to be holding keys. Apple has said we don't want to be holding keys because that, you know, we don't want that responsibility."
4. Windows Security Updates
[25:35 - 36:24]
Steve provides an overview of recent Windows patches, detailing the nature and severity of the flaws addressed.
Key Points:
- February's Windows updates addressed 63 flaws, including two actively exploited zero-days.
- The vulnerabilities ranged in severity, with some allowing elevation of privileges and potential remote code execution.
- Microsoft has also patched 23 flaws in the Chromium-based Edge browser.
Notable Quote:
Steve Gibson [133:15]: "The problem is useful extensions will usually request 'give me the keys to the kingdom' permission, so these permissions always need to be granted. Essentially, this renders permission prompts useless."
5. Ransom Hub Ransomware Analysis
[41:44 - 53:26]
The discussion shifts to the latest ransomware threat from the group known as Ransom Hub.
Key Points:
- Ransom Hub has compromised over 600 organizations across various sectors, including healthcare and finance.
- The group leverages previously patched vulnerabilities in Microsoft's Active Directory and NetLogon protocols to escalate privileges.
- They employ a Ransomware-as-a-Service (RaaS) model, incentivizing affiliates with an 88% share of ransom proceeds.
Notable Quote:
Steve Gibson [42:18]: "Nobody in the world is aware about the data leak from your company except you and Ransom Hub."
6. TOAD Attack (Telephone-Oriented Attack Delivery) and Google's Prevention
[54:01 - 62:23]
Steve introduces a new class of attacks termed "TOAD" (Telephone-Oriented Attack Delivery), which Google is actively working to mitigate.
Key Points:
- TOAD attacks involve fraudsters instructing victims, during a phone call, to change sensitive settings so that a malicious app can be installed.
- Google’s Android 16 Beta 2 includes features that block app sideloading during active phone calls to thwart these attacks.
- This preventive measure aims to add friction to common social engineering tactics used by cybercriminals.
Notable Quote:
Steve Gibson [55:48]: "It's a deliberate shutdown in the phone's multitasking system."
7. Texas vs DeepSeek Investigation
[62:23 - 73:38]
The episode covers Texas Attorney General Ken Paxton's investigation into the DeepSeek app, highlighting concerns over data privacy and national security.
Key Points:
- DeepSeek, developed by a company with alleged ties to the Chinese Communist Party (CCP), has been banned on Texas government devices.
- Concerns revolve around the app's potential to censor information critical of the Chinese government and compromise user data.
- New York State and Virginia have also blocked DeepSeek on government devices.
- Bipartisan efforts are underway to introduce legislation banning DeepSeek for federal workers.
Notable Quote:
Steve Gibson [68:01]: "DeepSeek appears to be no more than a proxy for the CCP... to undermine American AI dominance."
8. Apple's Restricted Mode and Recent Updates
[73:38 - 86:50]
Steve discusses Apple's restricted mode, recent vulnerabilities, and fixes aimed at enhancing device security.
Key Points:
- Apple introduced restricted mode to limit data access on locked devices, especially after prolonged inactivity.
- A recently patched vulnerability allowed attackers to disable restricted mode, potentially accessing sensitive data.
- Apple’s commitment to security includes blocking data access to devices locked for over an hour, even against sophisticated attacks.
- The vulnerability affected a range of Apple devices but has since been addressed in the latest updates.
Notable Quote:
Steve Gibson [85:12]: "The vulnerability as described could have been used to enable unlocking technology similar to that that's in Cellebrite's products, which... allows snoopers to break into devices when they have physical access to them."
9. Story of Lost Bitcoin Wallet
[86:50 - 84:49]
Leo recounts the story of James Howells, who lost a hard drive containing a significant Bitcoin wallet, illustrating the risks of poor data management.
Key Points:
- James Howells misplaced a hard drive containing an $800 million Bitcoin wallet, likely discarded in a landfill.
- Despite court battles and offers to purchase the landfill, efforts to recover the drive have been unsuccessful.
- The incident underscores the importance of secure data storage, especially for cryptocurrency.
Notable Quote:
Steve Gibson [78:19]: "The wallet contains 8,000 bitcoins. Bitcoin now worth around $100,000 each. Ouch. That's gotta hurt."
10. Chrome Web Store is a Mess
[86:50 - 143:43]
The centerpiece of the episode is a critical analysis of the Chrome Web Store by Wladimir Palant, a seasoned browser extension developer.
a. Wladimir Palant's Analysis
Key Points:
- Palant criticizes Google's moderation of the Chrome Web Store, pointing out that automated reviews are insufficient.
- Malicious extensions continue to thrive due to ineffective detection and inconsistent human moderation.
- Extensions like Reforest and Karma remain available despite evidence of deceptive practices and data exploitation.
- The Featured Badge system is compromised, allowing malicious extensions to appear reputable.
Notable Quotes:
Wladimir Palant [133:15]: "Google's over-reliance on automated tools caused issues from the very start, and it certainly didn't get any better."
Steve Gibson [145:00]: "How could Google get into this mess? Chrome Web Store is a mess."
b. Issues with Chrome Web Store Moderation
Key Points:
- Automated systems fail to adequately detect and remove malicious extensions.
- Human moderation is inconsistent and often reactive rather than proactive.
- Policy loopholes allow extensions to exploit user data without immediate repercussions.
- Review spamming tactics inflate the credibility of malicious extensions through fake positive reviews.
Notable Quote:
Wladimir Palant [133:15]: "For a decade my recommendation for Chrome users has been to stay away from Chrome Web Store if possible."
c. Malicious Extensions and Fake Reviews
Key Points:
- Extensions are often flooded with artificial positive reviews that mask their malicious intent.
- Palant highlights specific extensions like BlazeVPN and Safeum VPN, which continue to carry the Featured Badge despite being non-functional or malicious.
- The lack of effective review cleansing undermines user trust and the overall security of the Chrome ecosystem.
Notable Quote:
Wladimir Palant [92:51]: "Chrome Web Store is a mess. It's frustrating and dangerous for users."
d. Featured Extensions and Their Credibility
Key Points:
- The Featured Badge is misleading, as extensions with questionable or malicious practices still receive this designation.
- Palant cites examples where featured extensions perform no legitimate function yet are promoted heavily within the store.
- Google's inability to maintain the integrity of featured extensions contributes to the overarching mess.
Notable Quote:
Steve Gibson [143:43]: "The title Wladimir gave to his extremely informative blog posting, 'Chrome Web Store is a mess,' seems entirely fitting."
11. Conclusion
Steve Gibson wraps up by emphasizing the need for users to be vigilant when installing browser extensions, especially from the Chrome Web Store. He underscores the importance of understanding the security implications and the necessity of using trusted platforms, like Mozilla's Firefox with its more reliable extension moderation.
Notable Quote:
Steve Gibson [143:43]: "We are individually on our own, knowing all the things that are wrong... so stick with an also-ran browser where the browser I'm using is not as big a target as Chrome."
12. Additional Insights and Recommendations
- Use Trusted Browsers: Given the security issues with the Chrome Web Store, users are encouraged to use browsers with more rigorous extension reviews.
- Be Cautious with Permissions: Extensions often request extensive permissions that can compromise user data. Users should critically assess why an extension needs certain permissions.
- Monitor Extension Activity: Regularly review installed extensions and remove those that are unnecessary or suspicious.
- Support Greater Moderation Efforts: Advocate for improved moderation practices in browser extension stores to enhance overall security.
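The "keys to the kingdom" permission Steve mentions and the "review your installed extensions" advice above can be turned into a concrete check. The script below is an added example for this summary, not code from the episode, from Google, or from Wladimir Palant's post. It reads extension manifests (the real Chrome fields "permissions", "host_permissions", "optional_permissions", "optional_host_permissions" and "content_scripts[].matches"), flags all-site host access and a handful of data-exposing API permissions, and gives each extension a high/medium/low verdict. Which APIs count as sensitive and the verdict rule are this example's own assumptions; the two manifests at the bottom are constructed samples, not real extensions.

```python
"""Audit browser-extension manifests for "keys to the kingdom" permissions.

Added example; not code from the podcast, Google, or Palant's blog post.
Manifest keys used are the real Chrome manifest fields; the set of APIs
flagged and the verdict rule are assumptions made for illustration.
"""
import json
from pathlib import Path

# Match patterns that cover every site the user visits.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that read browsing data or can alter page content/traffic.
# Treating exactly these as "sensitive" is an assumption of this example.
SENSITIVE_APIS = {
    "webRequest": "observe every request",
    "webRequestBlocking": "block or rewrite every request",
    "cookies": "read session cookies",
    "tabs": "read URLs and titles of open tabs",
    "history": "read browsing history",
    "clipboardRead": "read the clipboard",
    "scripting": "inject scripts into pages",
    "nativeMessaging": "talk to native programs on the host",
}


def _is_host_pattern(entry):
    # API permission names never contain a scheme separator; host patterns do.
    return entry in ALL_SITES or "://" in entry


def host_patterns(manifest):
    """Every host pattern the manifest requests, across MV2 and MV3 layouts."""
    patterns = set()
    # MV2 mixes host patterns into "permissions"; MV3 uses "host_permissions".
    for key in ("permissions", "host_permissions",
                "optional_permissions", "optional_host_permissions"):
        patterns.update(e for e in manifest.get(key, []) if _is_host_pattern(e))
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def api_permissions(manifest):
    """API permission names requested up front or as optional permissions."""
    names = set()
    for key in ("permissions", "optional_permissions"):
        names.update(e for e in manifest.get(key, []) if not _is_host_pattern(e))
    return names


def audit(manifest):
    """Return {'name', 'verdict', 'findings'} for one parsed manifest dict."""
    findings = []
    broad_hosts = host_patterns(manifest) & ALL_SITES
    if broad_hosts:
        findings.append("can run on every site: " + ", ".join(sorted(broad_hosts)))
    risky = sorted(api_permissions(manifest) & SENSITIVE_APIS.keys())
    findings.extend(f"{api}: {SENSITIVE_APIS[api]}" for api in risky)
    # Verdict rule (assumption): all-site access plus a data/traffic API is the
    # "keys to the kingdom" case; either one alone still deserves a look.
    if broad_hosts and risky:
        verdict = "high"
    elif broad_hosts or risky:
        verdict = "medium"
    else:
        verdict = "low"
    return {"name": manifest.get("name", "?"), "verdict": verdict, "findings": findings}


def audit_profile(profile_dir):
    """Audit every installed extension under a Chrome profile directory.

    Chrome stores each installed extension as
    <profile>/Extensions/<id>/<version>/manifest.json.
    """
    results = []
    for path in sorted(Path(profile_dir, "Extensions").glob("*/*/manifest.json")):
        with open(path, encoding="utf-8") as fh:
            results.append(audit(json.load(fh)))
    return results


# Constructed sample manifests (not real extensions) to exercise the audit.
BROAD_MANIFEST = {
    "manifest_version": 3,
    "name": "Sample Coupon Finder",
    "permissions": ["tabs", "cookies", "scripting", "storage"],
    "host_permissions": ["<all_urls>"],
}
NARROW_MANIFEST = {
    "manifest_version": 3,
    "name": "Sample Site Helper",
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://example.com/*"], "js": ["helper.js"]}],
}

if __name__ == "__main__":
    for manifest in (BROAD_MANIFEST, NARROW_MANIFEST):
        result = audit(manifest)
        print(f"{result['name']}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it as-is to see the two constructed samples scored, or call audit_profile() with your own Chrome profile directory to list what each installed extension can reach. A "high" verdict is not proof of malice, since an ad blocker or password manager legitimately needs all-site access, but it is the permission set that turns a compromised or sold extension into a problem for every site you visit, which is why the prompt for it is worth reading rather than clicking through.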